# Guards
Your agent is about to refund $4,200. Or drop a database. Or email every customer in your CRM.
Guards evaluate tool calls before they execute and decide what happens next: allow, block, modify the input, or escalate to a human. Every decision is recorded as a span on your dashboard.
```python
from staso import guard

result = guard(tool_name="process_refund", tool_input={"amount": 4200, "customer_id": "cust-99"})

if result.action == "block":
    print(f"Blocked: {result.reason}")
elif result.action == "modify":
    # Guard sanitized the input
    tool_input = result.modified_input
```

## How It Works
1. Your agent decides to call a tool
2. `guard()` sends the tool name and input to Staso for evaluation
3. Staso runs your configured rules against the action
4. You get back a `GuardResult` with the decision
Rules are configured in your Staso dashboard -- no code changes needed to add, edit, or disable them.
## Four Actions
| Action | What Happens | When to Use |
|---|---|---|
| `allow` | Tool executes normally | Action passes all rules |
| `block` | Tool is prevented from running | Dangerous or policy-violating action |
| `modify` | Tool runs with sanitized input | Input needs adjustment (PII redaction, limit capping) |
| `escalate` | Paused until a human approves or denies | High-value or ambiguous decisions |
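Handling all four actions in your own agent might look like the sketch below. The `GuardResult` dataclass and `PendingApproval` exception are hypothetical stand-ins (the real result object comes back from `guard()`, and how you wait for a human on escalation depends on your approval workflow):

```python
from dataclasses import dataclass, field

# Hypothetical stand-in for the result returned by guard();
# the real GuardResult comes from the staso SDK.
@dataclass
class GuardResult:
    action: str                        # "allow" | "block" | "modify" | "escalate"
    reason: str = ""
    modified_input: dict = field(default_factory=dict)

class PendingApproval(Exception):
    """Raised when a guard escalates; the caller decides how to wait for a human."""

def run_tool(tool, tool_input, result):
    """Dispatch on the guard decision before executing a tool."""
    if result.action == "allow":
        return tool(tool_input)
    if result.action == "modify":
        return tool(result.modified_input)   # run with the sanitized input
    if result.action == "escalate":
        raise PendingApproval(result.reason)
    raise PermissionError(f"Blocked by guard: {result.reason}")
```

Raising on `block` is one choice among several; as the integration table below notes, you can just as well skip the tool or return a fallback value.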
## Where Guards Run
Guards work across every Staso integration:
| Integration | How Guards Run | What Happens on Block |
|---|---|---|
| Your own agents | You call `guard()` explicitly | You decide -- raise an error, skip the tool, return a fallback |
| Anthropic SDK | Auto-evaluated after each response | Guard results recorded on span metadata |
| OpenAI SDK | Auto-evaluated after each response | Guard results recorded on span metadata |
| Claude Code | Auto-evaluated before each tool | Tool blocked or input modified in real time |
| Codex | Auto-evaluated before each tool | Tool blocked or input modified in real time |
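For the "your own agents" row, one common pattern is wrapping each tool function so the guard check runs automatically before every call. A minimal sketch, assuming the `guard()` signature shown earlier; `guarded` is a hypothetical helper, not part of the staso API, and the fallback dict on block is one arbitrary choice:

```python
import functools

def guarded(tool_name, guard_fn):
    """Wrap a tool so every call is guard-checked first.

    guard_fn stands in for staso's guard(); on block the tool is
    skipped and a fallback dict is returned instead of raising.
    """
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(tool_input):
            result = guard_fn(tool_name=tool_name, tool_input=tool_input)
            if result.action == "block":
                return {"skipped": True, "reason": result.reason}
            if result.action == "modify":
                tool_input = result.modified_input  # run with sanitized input
            return fn(tool_input)
        return wrapper
    return decorate
```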
## Fail-Open by Default
If the guard service is unreachable or returns an error, the tool executes normally. Your agent never crashes because of a guard timeout. Guard failures are logged as warnings.
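The SDK applies this policy for you, but the pattern itself can be sketched client-side. `safe_guard` and `FAIL_OPEN` are hypothetical names introduced here for illustration:

```python
import logging
from types import SimpleNamespace

# Hypothetical default result used when the guard service is unreachable.
FAIL_OPEN = SimpleNamespace(action="allow", reason="guard unavailable (fail-open)")

def safe_guard(guard_fn, tool_name, tool_input):
    """Fail open: any guard error degrades to 'allow' and logs a warning."""
    try:
        return guard_fn(tool_name=tool_name, tool_input=tool_input)
    except Exception as exc:
        logging.warning("guard evaluation failed (%s); failing open", exc)
        return FAIL_OPEN
```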
## Evaluation Context Scope
Rules can evaluate at two levels:
| Scope | What It Evaluates | Best For |
|---|---|---|
| Tool-level | Individual tool call -- name, input, output | Granular control: block a specific action, redact PII from one call |
| Trace-level | Full agent execution -- all spans, tool calls, and LLM responses | End-to-end validation: detect multi-step policy violations, cost escalation across a session |
Configure scope per rule in your dashboard. Tool-level is the default. Trace-level rules run after the full execution completes, giving them access to the entire conversation context.
## Audit Mode
Every rule can run in audit mode. Audit rules evaluate and record what would have been blocked, but don't actually block anything. Use this to validate new rules before enforcing them.
On your dashboard, audit violations show up as `guard:would-block` spans -- so you can see exactly what would have triggered before you flip the switch.
## What's Next
- Integration guide -- add guards to your agent in 3 minutes
- Rules and actions -- how rules work, action types, severity levels
- Escalation -- human-in-the-loop approval workflows